https://feed.craftedsignal.io/products/office-excel/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioTue, 12 May 2026 18:35:04 +0000https://feed.craftedsignal.io/briefs/2026-05-cve-2026-40362/Tue, 12 May 2026 18:35:04 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-cve-2026-40362/A heap-based buffer overflow vulnerability, identified as CVE-2026-40362, exists in Microsoft Office Excel, allowing an unauthenticated attacker with local access to execute arbitrary code.CVE-2026-40362 is a heap-based buffer overflow vulnerability affecting Microsoft Office Excel. This vulnerability allows an attacker with local access to execute arbitrary code. An unauthenticated attacker could exploit this vulnerability by crafting a malicious Excel file. User interaction is required, as the user must open the specially crafted file. Successful exploitation could lead to arbitrary code execution in the context of the current user. Defenders should prioritize patching this vulnerability to prevent potential exploitation.

Attack Chain

1. Attacker crafts a malicious Excel file (.xls or .xlsx) designed to trigger the heap-based buffer overflow.
2. The attacker delivers the malicious file to the target user. This could be via a shared network drive, removable media, or social engineering.
3. The target user opens the malicious Excel file with Microsoft Office Excel.
4. Excel parses the malicious file, triggering the heap-based buffer overflow when processing a specific data structure within the file.
5. The overflow allows the attacker to overwrite adjacent memory regions on the heap, potentially gaining control of program execution.
6. The attacker leverages the memory corruption to inject and execute malicious code within the Excel process.
7. The attacker’s code executes with the privileges of the user who opened the file, allowing for local code execution.
8. The attacker performs malicious actions such as installing malware, exfiltrating data, or further compromising the system.

Impact

Successful exploitation of CVE-2026-40362 allows an attacker to execute arbitrary code on the victim’s machine. Due to the local nature of the attack, the impact is limited to the compromised system. An attacker can leverage this vulnerability to gain a foothold on the system, potentially leading to data theft, malware installation, or further lateral movement within the network, depending on the user’s privileges.

Recommendation

• Apply the security update provided by Microsoft to patch CVE-2026-40362 in Microsoft Office Excel.
• Deploy the Sigma rule “Detect Suspicious Excel File Execution” to identify potential exploitation attempts based on process creation events.
• Educate users about the risks of opening untrusted or unsolicited Excel files.
• Monitor process execution for unusual or unexpected child processes spawned by Excel, as detected by “Detect Suspicious Excel Spawning”.

]]>highadvisorycveheap-based buffer overflowexcelcode executionwindowshttps://feed.craftedsignal.io/briefs/2026-05-cve-2026-40360-excel-oob-read/Tue, 12 May 2026 18:34:32 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-cve-2026-40360-excel-oob-read/CVE-2026-40360 is an out-of-bounds read vulnerability in Microsoft Office Excel that allows an unauthorized attacker to disclose sensitive information locally.CVE-2026-40360 is a security vulnerability affecting Microsoft Office Excel. This out-of-bounds read vulnerability allows an unauthorized attacker to potentially disclose sensitive information locally. Exploitation of this vulnerability requires local access and user interaction as a prerequisite. This vulnerability was reported to Microsoft and assigned a CVSS base score of 7.8, indicating a high severity level. Successful exploitation results in information disclosure, though the scope of disclosure and potential impact on confidentiality is not detailed in the advisory.

Attack Chain

1. The attacker crafts a malicious Excel file containing specific data structures designed to trigger the out-of-bounds read condition.
2. The attacker delivers the crafted Excel file to the victim through social engineering.
3. The victim opens the malicious Excel file using a vulnerable version of Microsoft Office Excel.
4. Excel attempts to read data from a memory location outside the intended buffer due to the crafted file.
5. The out-of-bounds read occurs, potentially disclosing sensitive data from adjacent memory regions.
6. The disclosed data is then accessible to the attacker, who can analyze it for sensitive information.

Impact

Successful exploitation of CVE-2026-40360 allows an attacker to disclose information locally. The CVSS score of 7.8 suggests that, while local access and user interaction are required, the potential impact on confidentiality is high. The advisory does not specify the type or amount of information that can be disclosed or the number of potential victims, but the impact could include exposure of sensitive data within the Excel file or from other memory locations accessible to the Excel process.

Recommendation

• Apply the security update released by Microsoft to address CVE-2026-40360 as referenced in the advisory URL.
• Deploy the Sigma rule “Detect Excel Out-of-Bounds Read via Formula” to identify potential exploitation attempts based on formula patterns in Excel files.
• Enable process creation logging to monitor for suspicious Excel processes as detected by the “Detect Suspicious Excel Process Creation” Sigma rule.

]]>mediumadvisorycveinformation-disclosureexcelhttps://feed.craftedsignal.io/briefs/2026-05-cve-2026-40359-excel-uaf/Tue, 12 May 2026 18:34:19 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-cve-2026-40359-excel-uaf/CVE-2026-40359 is a use-after-free vulnerability in Microsoft Office Excel that allows a local attacker to execute arbitrary code by exploiting memory corruption.CVE-2026-40359 is a use-after-free (UAF) vulnerability affecting Microsoft Office Excel. This vulnerability allows an unauthorized, local attacker to execute arbitrary code. The vulnerability exists due to improper handling of memory objects within Excel, leading to a situation where freed memory is accessed again. Successful exploitation allows the attacker to gain control over the affected system. This vulnerability was published on May 12, 2026, and poses a significant risk to systems running vulnerable versions of Microsoft Excel. An attacker could potentially leverage this vulnerability to install malware, steal sensitive data, or perform other malicious activities.

Attack Chain

1. The attacker crafts a malicious Excel file designed to trigger the use-after-free condition.
2. The victim opens the specially crafted Excel file.
3. Excel attempts to access a memory location that has already been freed.
4. The use-after-free condition leads to memory corruption.
5. The attacker leverages the memory corruption to overwrite critical data structures within the Excel process.
6. The attacker gains control of the program counter by overwriting a function pointer or similar mechanism.
7. The attacker redirects execution flow to attacker-controlled code.
8. The attacker executes arbitrary code within the context of the Excel process, potentially gaining local code execution.

Impact

Successful exploitation of CVE-2026-40359 allows an attacker to execute arbitrary code locally on a targeted system. Given the ubiquitous use of Microsoft Excel in various sectors, a successful exploit can lead to significant damage, including data theft, malware installation, and potential system compromise. The CVSS v3.1 base score of 7.8 reflects the high potential impact, especially considering the ease of local exploitation if a user opens a malicious Excel file.

Recommendation

• Apply the security update provided by Microsoft to patch CVE-2026-40359 in Microsoft Office Excel as soon as possible, as referenced in the provided URL.
• Deploy the Sigma rule Detect Excel Use-After-Free via Suspicious Process Creation to identify potential exploitation attempts based on unusual processes spawned by Excel.
• Enable process creation logging to capture events necessary for the Sigma rule.

]]>highadvisoryuse-after-freecode executionexcel